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To:         Fernanda Young, Chief Information Officer

From:       Arturo Cornejo AC
            Acting Assistant Inspector General for Audits

Subject:    Fiscal Year 2013 Information Security Program and Practices Audit
            OIG-AR-14-03

Date:       March 26, 2014


This memorandum transmits Cotton & Company LLP’s audit report of Export-
Import Bank’s (Ex-Im Bank) Information Security Program for Fiscal Year 2013.
Under a contract monitored by this office, we engaged the independent public
accounting firm of Cotton & Company to perform the audit. The objective of the
audit was to determine whether the Ex-Im Bank developed adequate and effective
information security policies, procedures, and practices in compliance with the
Federal Information Security Management Act of 2002 (FISMA).

Cotton & Company determined that overall Ex-Im Bank continues to improve and
strengthen its information security program and is addressing the challenges in
each of the areas that the Office of Management and Budget identified for the fiscal
year 2013 FISMA review. However, Ex-Im Bank is not compliant with all FISMA
requirements. The report contains six recommendations for corrective action.
Management concurred with the recommendations and we consider management’s
proposed actions to be responsive. The recommendations will be closed upon
completion and verification of the proposed actions.

We appreciate the cooperation and courtesies provided to Cotton & Company and
this office during the audit. If you have questions, please contact Julie Wong
(202) 565-3920 Julie.Wong@exim.gov, or me at (202) 565-3499
Arturo.Cornejo@exim.gov. You can obtain additional information about the Export-
Import Bank Office of Inspector General and the Inspector General Act of 1978 at
www.exim.gov/oig.



cc:     Fred P. Hochberg, Chairman and President
        C.J. Hall, Executive Vice President and Chief Risk Officer
        Michael Cushing, Senior Vice President and Chief Operating Officer
        Audit Committee



                   811 Vermont Avenue, NW Washington, D.C. 20571
John Lowry, Director, Information Technology Security and Systems
  Assurance
Inci Tonguch-Murray, Business Compliance Officer
Cristopolis Dieguez, Business Compliance Analyst
George Bills, Partner, Cotton & Company LLP
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